Hi,
Based on the Monitoring Console query, I have created the query below, which will give you the max CPU percentage usage by search, but it will only provide the CPU percentage if the search runtime is greater than 10 seconds. For searches which took less than 10 seconds to run, Splunk is not ingesting the pct_cpu field into the _introspection index.
`dmc_set_index_introspection` search_group=dmc_group_search_head search_group="*" sourcetype=splunk_resource_usage data.search_props.sid::* data.search_props.mode!=RT
| `dmc_rename_introspection_fields`
| eval search_label = if(isnotnull(label), label, sid)
| stats max(elapsed) as runtime max(mem_used) as mem_used max(data.pct_cpu) as pct_cpu earliest(_time) as _time by search_label, type, mode, app, role, user, host
| eval mem_used = round(mem_used, 2)
| eval runtime = `dmc_convert_runtime(runtime)`
| fields search_label, mem_used, pct_cpu, host, runtime, _time, type, mode, app, user, role
| eval _time=strftime(_time,"%+")
| rename search_label as Name, mem_used as "Memory Usage (MB)", pct_cpu as "CPU Percentage", host as Instance, runtime as Runtime, _time as Started, type as Type, mode as Mode, app as App, user as User, role as Role
I hope this helps.
Thanks,
Harshil